LUKS Encryption Key on Initial Reboot

I am currently attempting to use Packer to automate an ISO-to-OVA VMware builder. Currently all is fine except I cannot figure out a way to automate either Packer or the preseed file to enter the encryption passcode on the initial reboot.

I find it hard to believe that no one has run into this problem before me, but I cannot seem to find anyone who has had this problem.

Currently this is being performed using a headless VMware builder script for Debian Linux 10.0 with LUKS LVM volume encryption. After reboot and selecting the OS in the GRUB bootloader, you are greeted with this screen, which prompts you to enter the decryption key. I am having to do this manually for the builder to proceed. I would like this part to be automated.

I ran into this recently, and others have before us, but the discussed solutions didn't work for me.

The dropbear initrd approach IMO is too complex to configure during the install process. I didn’t even attempt this as debugging would be painful. If remote disk decryption via SSH is desired, it should be configured with a Packer provisioner like Ansible.

AFAICT, Packer does not allow commands to be executed between the install and provisioning stages. The provisioner won’t start until the SSH communicator is active. So decrypting the disk with a provisioner is hopeless.

I did, however, find a hacky solution for my use-case with Debian 11 and the VirtualBox builder: use a background script to enter the disk decryption password at the right time. Just set up the necessary Packer variables (vm_name and disk_passphrase) and run Packer with a tag-along background script like this:

./decrypt_disk.sh "$VM_NAME" "$DISK_PASSPHRASE" &
packer build -var "vm_name=$VM_NAME" -var "disk_passphrase=$DISK_PASSPHRASE" .

The decrypt_disk.sh script waits for the installer ISO to be ejected in order to determine when to supply the disk decryption passphrase via VBoxManage:

#!/bin/bash
# Usage: ./decrypt_disk.sh VM_NAME DISK_PASSPHRASE
# Run in the background alongside `packer build`; types the LUKS passphrase
# into the VirtualBox VM once the installer has ejected its ISO and rebooted.

VM_NAME=$1
PASSWORD=$2

# PS/2 scancodes for the Enter key (make and break).
ENTER_KEY_DOWN=1c
ENTER_KEY_UP=9c

# True once the DVD drive on the IDE controller reports "Empty (ejected)",
# which is what `VBoxManage showvminfo` prints after the installer ejects the ISO.
isInstallerIsoEjected() {
    VBoxManage showvminfo "$VM_NAME" | grep "IDE Controller" | grep -q "Empty (ejected)"
}

# The VM does not exist until Packer creates it, so do not poll right away.
echo "Wait a while before checking for installer ISO ejection..."
sleep 5m

until isInstallerIsoEjected; do
    echo "Waiting for installer ISO to be ejected..."
    sleep 5
done

# Give the VM time to reboot through GRUB and reach the LUKS prompt.
echo "Installer ISO was ejected. Wait a bit more..."
sleep 15
echo "Entering disk decryption password..."
VBoxManage controlvm "$VM_NAME" keyboardputstring "$PASSWORD"
VBoxManage controlvm "$VM_NAME" keyboardputscancode $ENTER_KEY_DOWN $ENTER_KEY_UP

I think it is fine to use a weak disk password supplied as a command-line argument here. It can be strengthened during provisioning on the target instance. The main idea here is to prepare a VM with disk encryption and auto-decrypt on reboot so that Packer’s communicator can succeed.

Don’t use spaces in the VM_NAME.
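The passphrase strengthening that the post above leaves to the provisioning stage, written out as an added example (not code from this thread, from Packer or from Debian): a POSIX shell script intended to run as root on the Debian guest through a Packer shell provisioner. It assumes the provisioner exports the weak build-time passphrase as DISK_PASSPHRASE and the strong replacement as NEW_DISK_PASSPHRASE (both variable names are this example's own choice), and that the LUKS container is reported as crypto_LUKS by lsblk, which is how a preseed-installed LUKS-on-LVM layout appears.

```shell
#!/bin/sh
# Added example, not from the original thread: a Packer shell-provisioner
# script that replaces the weak build-time LUKS passphrase with a strong one.
# Assumes the provisioner exports DISK_PASSPHRASE (the weak passphrase typed by
# decrypt_disk.sh) and NEW_DISK_PASSPHRASE (the strong replacement); both names
# are this example's own. Runs as root on the Debian guest.
set -eu

# Pull the device path of every LUKS container out of `lsblk -rno NAME,FSTYPE,PATH`
# output (passed in as $1 so the function can be exercised on a constructed sample).
luks_devices_from_lsblk() {
    printf '%s\n' "$1" | awk '$2 == "crypto_LUKS" { print $3 }'
}

# Write a passphrase to a file under a private temp dir and print its path.
# cryptsetup reads --key-file contents verbatim, so no trailing newline is
# emitted; the file then matches exactly what was typed at the boot prompt.
write_keyfile() {
    _path="$1/$2"
    printf '%s' "$3" > "$_path"
    printf '%s' "$_path"
}

rotate_passphrase() {
    dev="$1"; old_kf="$2"; new_kf="$3"
    # Refuse to continue if the weak passphrase does not actually open this container.
    cryptsetup open --test-passphrase --key-file="$old_kf" "$dev"
    # Add the strong passphrase to a free keyslot, authenticating with the weak one.
    cryptsetup luksAddKey --key-file="$old_kf" "$dev" "$new_kf"
    # A second slot now exists, so purging the weak passphrase's slot is safe.
    cryptsetup luksRemoveKey "$dev" "$old_kf"
    # Confirm the end state: the strong passphrase works and the weak one is gone.
    cryptsetup open --test-passphrase --key-file="$new_kf" "$dev"
    if cryptsetup open --test-passphrase --key-file="$old_kf" "$dev" 2>/dev/null; then
        echo "weak passphrase still opens $dev" >&2
        return 1
    fi
}

main() {
    umask 077
    tmp="$(mktemp -d)"
    trap 'rm -rf "$tmp"' EXIT
    old_kf="$(write_keyfile "$tmp" old "$DISK_PASSPHRASE")"
    new_kf="$(write_keyfile "$tmp" new "$NEW_DISK_PASSPHRASE")"
    devs="$(luks_devices_from_lsblk "$(lsblk -rno NAME,FSTYPE,PATH)")"
    [ -n "$devs" ] || { echo "no LUKS containers found" >&2; exit 1; }
    for dev in $devs; do
        rotate_passphrase "$dev" "$old_kf" "$new_kf"
        echo "rotated passphrase on $dev"
    done
}

# Only act when the provisioner has supplied both passphrases; loading the file
# without them just defines the functions above.
if [ -n "${DISK_PASSPHRASE:-}" ] && [ -n "${NEW_DISK_PASSPHRASE:-}" ]; then
    main
fi
```

Wire it in with a Packer shell provisioner whose environment_vars set DISK_PASSPHRASE from var.disk_passphrase and NEW_DISK_PASSPHRASE from a second variable declared with sensitive = true, so neither passphrase appears on the script's command line inside the guest. Neither /etc/crypttab nor the initramfs stores the passphrase itself, so the next boot simply prompts for the new one; the closing --test-passphrase checks fail the build rather than silently leaving the weak keyslot behind if luksRemoveKey did not take effect.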
